Brexit and GDPR: what businesses should be doing to prepare for a ‘no deal’ scenario

Hope for the best, prepare for the worst

Shares

The increasingly real prospect of a ‘no-deal’ Brexit has serious implications for businesses across the UK. One very real concern is what impact a ‘no deal’ scenario would mean in terms of the European Union’s (EU) General Data Protection Regulation (GDPR).

Having expended serious time and effort on becoming GDPR compliant, UK companies are justifiably concerned about what they’ll need to do in the event of a ‘no deal’ Brexit.

After all, GDPR isn’t a law in and of itself. If it were, the UK could simply leave the EU and cease to be subject to it. Instead, it’s a European directive that requires member states to draft laws ensuring that their citizens abide by the regulations.

The UK has already done that, having signed the Data Protection Act into law in 2018. Should the country leave the EU without a deal, however, the picture changes dramatically.

No-deal scenario

In such a scenario, the UK would become a “third party” country, meaning that data cannot be shared between it and other countries in the European Economic Area (EEA) unless it is deemed to have “adequate” data protection laws in place.

In theory, the Data Protection Act, which is in line with GDPR, should mean that the UK remains safe in the immediate aftermath of Brexit. And if it continues to follow the EU’s lead when it comes to data protection, then there’s no reason why that should change.

As is the case with so much around Brexit, however, this can’t be taken for granted. Things can, and do, change quickly.

Even if the UK remains compliant with EU data directives, businesses will have to take certain steps to ensure that they can keep operating on the continent.

As solicitors Irwin Mitchell point out, these include:

“Data transfers: If you transfer data to and from the EU, you may need to re-legitimise this by putting in place standard contractual clauses.

Binding corporate rules: If you rely on BCRs blessed in the UK by the ICO, these may no longer be valid for the EU and you may need to have them blessed by a data protection authority of a remaining Member State.

EU representative: UK businesses that have operations processing personal data in the EU after Brexit may need to appoint a representative in the EU that will need to register with a data protection authority in one of the remaining member states.

‘One stop shop: UK companies lose the benefit of the “one stop shop”/“lead supervisory authority” regime in GDPR. Consider whether you will be required to deal with multiple regulators simultaneously in the event of an issue affecting people in more than one country.”

Preparing for a no-deal Brexit

While this worst-case scenario may seem difficult to contemplate, organisations shouldn’t adopt a “wait and see” approach when it comes to Brexit.

Instead, they should be hoping for the best and preparing for the worst. In addition to ensuring that they can take the above steps in the event of a no-deal Brexit, UK organisations will need to be doubly certain that they are GDPR compliant.

Ultimately, if UK organisations want to continue trading in Europe with as little disruption as possible, they’ll have to demonstrate that they have the requisite measures in place to protect customer data.

The last thing any UK organisation should do is think that Brexit gives it a “get out of jail free” card when it comes to GDPR. That way lies certain trouble.